Skip to main content

Disabling TLS 1.0 on Warwick web applications

From 23 May 2017 onwards, we will disable the TLS 1.0 encryption protocol across the University's web services. Disabling TLS 1.0 prevents it from being used to access Warwick websites via an insecure web browser or application. We're making this change to keep the University's websites safe and secure.

When does this happen?

Date Action
Tuesday 23 May 2017 Customers making an online payment can only do so using a browser that supports TLS v1.2. This is due to changes made by our payment solution supplier.
Monday 3 July 2017 We disabled TLS v1.0 connections to our transaction tracking system onlinepayment.warwick.ac.uk
Tuesday 8 August 2017 We disabled TLS v1.0 connections to Single Sign-on and our identity provider. It's no longer possible to sign in to web services using a browser that only supports TLS v1.0.
Monday 8 January 2018 We will disable TLS v1.0 connections to all other web services.

What do I need to do to prepare?

When accessing websites using a web browser, ensure you use the latest available version of the browser – whether that is Internet Explorer, Google Chrome, Mozilla Firefox, Safari or another browser. Using the latest version keeps you safe online because you're using the most up-to-date security settings.

For detailed information on how his change will impact you, and the actions we recommend you take, please refer to the following pages:

Why is this happening?

Although TLS 1.0, when configured properly, has no known security vulnerabilities, newer protocols are designed better to address the potential for new vulnerabilities.

The PCI Data Security Standard 3.1 recommends disabling “early TLS”:

“SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016 [without a mitigation strategy for disabling it before June 2018].

[...]

The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2.”

We need to be PCI-compliant to take online payments at the University. It is not sufficient to merely disable TLS 1.0 on our transaction tracking system as the requirement extends to any system that initiates a payment, including car parking, printer credits, the Warwick website, etc.

For the best experience using our applications, we recommend that you use the latest version of one of the following browsers:

Google Chrome

Google Chrome

Mozilla Firefox

Mozilla Firefox

Internet Explorer

Internet Explorer 11

Edge

Edge

Opera

Opera

Safari

Apple Safari for Mac (Safari on Windows is not supported)